Farelf Posted January 5, 2010 Share Posted January 5, 2010 Link provided in GRC newgroups by paradoX and Al: http://www.dshield.org/diary.html?storyid=7867 ...Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included java scri_pt in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here). After extracting the included java scri_pt code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long! Initially I even thought that it does not work, but after studying it a little bit, I found that this particular PDF document has some very interesting, sophisticated characteristics. ... Lessons learned Not only was this a very interesting example of a malicious PDF document carrying a sophisticated "war head", but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims. ... Which should be enough to make one check that their PDF reader has java scri_pt disabled. Adobe Reader 9 Edit-Preferences-java scri_pt (uncheck top box). Not sure about browser 'helper' applications. Note these may be targeted attacks with very plausible cover stories and AV detection rates may be low/very low (I see Symantec have removed themselves from the VirusTotal battery again - lor' bless 'em). Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.